Hi,
I would like to use a vMX in AWS as an AutoVPN Hub to provide (amongst other things) access to the internet for clients at Spoke sites that appears from a single, statically assigned public facing IP address using elastic IP in AWS.
I can configure the vMX fine and have it up and working in Dashboard but I can’t get my head round how to advertise an internet router back to clients on Spoke sites.
Hi @RyanJunk ,
Have you configured your Local subnets on the vMX? These automatically get advertised in the auto-vpn. So would you not advertise your Internet routers here to make them reachable from other sites?
Hi Darren,
Thanks for the quick response, I’ve added both AWS VPC subnets to the vMX but still no joy.
Not sure if I need to add 0.0.0.0/0 as a local network to the vMX but that throws up a heap of warnings in dashboard.
Hey Ryan
On your edge MX that you’re connecting back to the vMX, do you see the AWS routes being advertised back and are they showing Green?
Look at your Route Table on the Network.
Darren,
The routes to both AWS subnets are there but one is red and the other is pending 🤦♂️
Which clearly isn’t a good sign.
From the AWS MX can you reach anything on the internal network? Are there devices behind it that you should be able to reach?
>I would like to use a vMX in AWS as an AutoVPN Hub to provide (amongst other things) access to the internet for clients at Spoke sites that appears from a single, statically assigned public facing IP address using elastic IP in AWS.
AWS does not allow this. The AWS gateway will only NAT traffic for AWS subnets - not for remote subnets.
HOWEVER, you can actually make this work, by putting the vMX behind another virtual device that does NAT (like a virtual router or firewall). Your remote subnets will then come into the vMX, and then pass through the next virtual NAT device which will NAT your remote subnets to the IP address of the NAT gateway - which is from a subnet in AWS - and now that IP address can pass through the Amazon NAT gateway and get to the Internet.
You will need a medium AWS skill level to do this kind of deployment.
A simpler solution would be to deploy an old school proxy server and have the clients use that.
Personally, I would explore a better model - moving to a zero-trust approach - where security is not dependent on what IP address things on the Internet are accessed from. Instead, use things like MFA. But I appreciate this may not be trivial.
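To make the "vMX behind a NAT device" design above concrete, here is an added example (not from the thread or from Meraki) that renders the nftables ruleset for a Linux NAT instance sitting between the vMX and the AWS NAT gateway, and first checks the two conditions the design depends on: the SNAT address must belong to the VPC, and the spoke prefixes must not overlap it. The VPC CIDR, NAT instance address, spoke subnets and interface names are constructed sample values.

```python
import ipaddress

# Constructed sample addressing (not taken from the thread): the VPC that
# hosts the vMX and the NAT instance, the NAT instance's VPC-side address,
# and the spoke LANs that arrive over AutoVPN.
VPC_CIDR = "10.100.0.0/16"
NAT_INSTANCE_ADDR = "10.100.1.20"
SPOKE_SUBNETS = ["192.168.10.0/24", "192.168.20.0/24"]


def validate_nat_plan(vpc_cidr, nat_addr, spoke_subnets):
    # The AWS NAT gateway only NATs sources inside the VPC, so the address
    # we SNAT to must be a VPC address; and a spoke prefix that overlaps the
    # VPC would have its return traffic routed inside the VPC, not to the vMX.
    vpc = ipaddress.ip_network(vpc_cidr)
    nat = ipaddress.ip_address(nat_addr)
    if nat not in vpc:
        raise ValueError(f"SNAT address {nat} is not inside VPC {vpc}")
    spokes = [ipaddress.ip_network(s) for s in spoke_subnets]
    for spoke in spokes:
        if spoke.overlaps(vpc):
            raise ValueError(f"spoke {spoke} overlaps VPC {vpc}")
    return spokes


def render_nftables(vpc_cidr, nat_addr, spoke_subnets,
                    vmx_iface="eth1", vpc_iface="eth0"):
    # Forward only traffic that entered on the vMX-facing interface from a
    # known spoke, and SNAT it to the instance's VPC address on the way out
    # towards the VPC (and so towards the AWS NAT gateway / elastic IP).
    spokes = validate_nat_plan(vpc_cidr, nat_addr, spoke_subnets)
    elems = ", ".join(str(s) for s in spokes)
    lines = [
        "table ip spoke_nat {",
        f"  set spokes {{ type ipv4_addr; flags interval; elements = {{ {elems} }} }}",
        "  chain forward {",
        "    type filter hook forward priority filter; policy drop;",
        "    ct state established,related accept",
        f'    iif "{vmx_iface}" oif "{vpc_iface}" ip saddr @spokes accept',
        "  }",
        "  chain postrouting {",
        "    type nat hook postrouting priority srcnat; policy accept;",
        f'    oif "{vpc_iface}" ip saddr @spokes snat to {nat_addr}',
        "  }",
        "}",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_nftables(VPC_CIDR, NAT_INSTANCE_ADDR, SPOKE_SUBNETS))
```

The NAT instance also needs its EC2 source/destination check disabled, and the VPC route table must send the spoke prefixes to the vMX while the default route goes to the NAT gateway.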